Why did Stuxnet worm spread?

Propagation hints that first attack failed, say researchers

Stuxnet's inability to stay stealthy may be fall-out from a failure to hit its intended targets last year, security researchers said today.

The worm, which was designed to infiltrate heavy-duty industrial control programs that monitor and manage factories, oil pipelines, power plants and other critical installations, only popped onto researchers' radars this summer, nearly a year after it was likely first launched.

"Obviously, it spread beyond its intended target or targets," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab, one of the two security companies that has spent the most time analyzing Stuxnet.

Most researchers have agreed that Stuxnet's sophistication -- they've called it "groundbreaking" -- means that it was almost certainly built by a well-financed, high-powered team backed by a government. The worm's probable target was Iran, possibly the systems in its budding nuclear power program.

Earlier this week, Iranian officials acknowledged that tens of thousands of Windows PCs had been infected with Stuxnet, including some in place at a nuclear power plant in southwestern Iran. They have denied that the attack had damaged any facilities, however, or that Stuxnet contributed to well-known delays in the reactor's construction.

But if Stuxnet was aimed at a specific target list, why has it spread to thousands of PCs outside Iran, in countries as far flung as China and Germany, Kazakhstan and Indonesia?

"That's something we find puzzling," said Liam O Murchu, operations manager with Symantec's security response, and a co-author of a paper that analyzed the worm's code.

Even though the Stuxnet makers obviously included measures to limit its spread, something went amiss, O Murchu said.

The original infection method, which relied on infected USB drives, included a counter that limited the spread to just three PCs, said O Murchu. "It's clear that the attackers did not want Stuxnet to spread very far," he said. "They wanted it to remain close to the original infection point."

O Murchu's research also found a 21-day propagation window; in other words, the worm would migrate to other machines in a network only for three weeks before calling it quits.

Those anti-propagation measures notwithstanding, Stuxnet has spread widely. Why?

Kaspersky's Schouwenberg believes it's because the initial attack, which relied on infected USB drives, failed to do what Stuxnet's makers wanted.

"My guess is that the first variant didn't achieve its target," said Schouwenberg, referring to the worm's 2009 version that lacked the more aggressive propagation mechanisms, including multiple Windows zero-day vulnerabilities. "So they went on to create a more sophisticated version to reach their target."

That more complex edition, which O Murchu said was developed in March of this year, was the one that "got all the attention," according to Schouwenberg. But the earlier edition had already been at work for months by then -- and even longer before a little-known antivirus vendor from Belarus first found it in June. "The first version didn't spread enough, and so Stuxnet's creators took a gamble, and abandoned the idea of making it stealthy," said Schouwenberg.

In Schouwenberg's theory, Stuxnet's developers realized their first attempt had failed to penetrate the intended target or targets, and rather than simply repeat the attack, decided to raise the ante.

"They spent a lot of time and money on Stuxnet," Schouwenberg said. "They could try again [with the USB-only vector] and maybe fail again, or they could take the risk of it spreading by adding more functionality to the worm."

O Murchu agreed that it was possible the worm's creators had failed to infect, and thus gain control, of the industrial systems running at their objective(s), but said the code itself didn't provide clear clues.

What is clear, O Murchu said in a news conference Friday morning, is that Stuxnet evolved over time, adding new ways to spread on networks in the hope of finding specific PLCs (programming logic control) hardware to hijack. "It's possible that [the attackers] didn't manage to get to all of their targets [with the earlier version]," O Murchu said. "The increased sophistication of Stuxnet in 2010 may indicate that they had not reached their target."

With the proliferation of Stuxnet, Schouwenberg said that the country or countries that created the worm may have themselves been impacted by its spread. But that was likely a calculated risk the worm's developers gladly took.

And that risk may have been quite small. "Perhaps they knew that their own critical infrastructure wouldn't be affected by Stuxnet because it's not using Siemens PLCs," Schouwenberg said.

Stuxnet only tried to grab control of PLCs manufactured by German electronics giant Siemens, which has supplied large amounts of industrial control hardware and software to Iran.

O Murchu's research seemed to back up Schouwenberg's speculation. "Stuxnet looks to see that a specific type of PLCs are present," he said today. "Those are quite popular models, but it does show that they knew what hardware was being used at the target or targets." Additionally, the code only infected PLCs that used a specific model of network card.

The identity of Stuxnet's makers may never be known, both Schouwenberg and O Murchu said. However, some clues in the code point to Israel , or at least the hackers wanted everyone to think Israel was behind the cyber attack against Iran.

"But as long as no one takes responsibility for the attack, the authors really had nothing to lose by letting the worm spread," said Schouwenberg.

Read more about security in Computerworld's Security Topic Center.

Join the PC World newsletter!

Error: Please check your email address.

Tags securityWindowssoftwareMalware and Vulnerabilitiesoperating systemskaspersky lab

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?